Spam/Phishing Attacks on Campus

DATE:                 Thursday, November 11, 2021

TO:                      All Capital University Faculty, Staff and Students

FROM:               The Department of Information Technology

SUBJ:                  Spam/Phishing Attacks on Campus

Recently there has been a sharp increase in email phishing scams due to compromised Capital user accounts.  A compromised account is one that is accessed by a cybercriminal who is not authorized to use that account.  When student or employee accounts become compromised, those accounts are used to send spam and phishing emails to people on and off campus.

The latest phishing scam on campus involves the circulation of an email message for a “dog sitting” job opportunity.  This overpayment scam plays out roughly the same way as with the “nanny or caregiver scams,” but with some slight variation.

  • The scammer will reach out to you online or via text once you give them your personal contact information stating they want to hire you. Typically this is without them interviewing or seeing you in person
  • An upfront financial advance offer is made by the scammer for your services, typically in the form of a money order from some type of “business” the scammer claims to work for, or a government “embassy”.  They may also ask you to accept deliveries or make purchases on their behalf with promises of reimbursement
  • The amount of the money order will always be written for more than the amount needed, and the recipient will be asked to keep a portion of the funds and either send the extra funds to a third party, or if they have changed their mind, return all the money as soon as possible
  • If you were asked to accept deliveries or purchase items in preparation for the dog sitting position, you may be asked to forward an upfront payment to a third party (via check, wire transfer, gift cards, etc.) to cover the cost of the materials

Although the money orders from the scammer are all fake and fraudulent, many banks will still cash them and place the funds into the pet sitter’s account within a few days.  However, usually within a month, the money order is returned as fraudulent, and the bank will withdraw the money from the pet sitter’s account.  The bank may also charge extra fees, and may pursue the pet sitter with criminal charges for cashing a fake check.

Please be aware and cautious when reviewing and/or responding to email messages with job opportunities that require you to send money up front as a condition of employment or offer to pay you in advance.  Trust your instincts and remember if it sounds too good to be true, it probably is a scam.  Never offer your birth date, SSN, username, bank, or other private information to anyone online.  Especially if they are asking you to “confirm” something for security reasons which is a red flag of a spam.  Educate yourself and read through previous email scams to get a feel for how the spam messages work.

Key Points and Red Flags in Identifying Scams

  • Paying close attention to the “From” and “Reply-to” in the email address to see if it’s a valid address you recognize
  • Check the body of the message to see if the English wording is awkward  or if there are lots of misspellings in the sentence structure
  • Be cautious if someone wants to only communicate with you via email or text messaging. Scammers do not want to talk to you over the phone or video chat
  • Most job postings like this will state that they are “moving to your area”, however, they will not be able to tell you where your area is if you question them
  • If someone is very keen on sending you money before meeting you, this is likely a scam!  Never accept a pet-sitting assignment or payment until you’ve met a potential client in person at the initial consultation.  No legitimate employer will ask you for your banking information or give you money without meeting with you
  • If a potential client urges you to transfer money using a service like Western Union or MoneyGram, it’s probably a scam. Don’t send money to someone you don’t know, either in cash or through a money transfer service. Likewise, don’t deposit a check from someone you don’t know and then transfer the money

IT works diligently to help prevent and counteract spam and phishing scams through various security appliances such as Barracuda which scans every incoming email message for spam and phishing exploits. Barracuda will catch majority of exploits, however, nothing is fool-proof and it takes the cooperation from all of our campus users to help keep the infrastructure and user accounts safe at all times.

What Do I Do If I’ve Been Scammed

  • If you or someone you know was tricked into transferring money for any reason, the Federal Trade Commission (FTC) wants to know about it: so please report it
  • Next you should report the incident to the money transfer company.  The two common companies are MoneyGram: 1-800-666-3947 (1-800-955-7777 for Spanish) or com and Western Union: 1-800-448-1492
  • Make a report and work with your bank
  • Notify and report it to the caregiver web site you were contacted through so they can stop the scammer from targeting anyone else on the site. The scammer is likely trying to prey on others who are looking for work
  • Finally, file a complaint with the Internet Crime Compliance Center (IC3) which is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center.

Visit the IT Status Page for detail information on other forms of email phishing scams:  Questions, inquiries and concerns can be directed to the IT Help Desk, or 614-236-6508.  If you suspect that you have received a phishing scam, please report it